What is personal data?

Personal data is information that relates to a living individual who can be identified by that data, or by a combination of that data and other information in the possession of the data controller.

It includes names, identification numbers, location data, online identifiers, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of an individual.

Personal data also includes any expression of opinion about that individual and any indication of the intentions of the data controller or any other person in respect of that individual.

The impact of Brexit on the GDPR

The GDPR takes effect on 25 May 2018. Article 50 of the Lisbon Treaty allows two years of negotiation from the moment it is invoked before Britain’s exit from the EU is finalised, so there is certain to be a period in which British organisations are subject to the GDPR in exactly the same way as those in other member states.

The situation is unlikely to change significantly after Britain leaves the EU.

Durrani explains: “If we want to continue trading with the rest of Europe, we will be required to achieve ‘adequacy’ on data protection, which means achieving standards that are at least equal to the rest of the EU. So, whatever model Britain chooses after Brexit, there isn’t a scenario in which we won’t have to comply with the principles of GDPR.”

There have been instances, highlighted in the media, in which charities have failed to handle sensitive data properly, and the penalties for such failings are set to increase under new EU data protection rules.

In this article, we discuss what your charity needs to know about the EU General Data Protection Regulation (GDPR) – which will replace the Data Protection Act 1998 when it comes into force in May 2018 – and explain how it may affect your organisation.

GDPR – the key changes

The GDPR introduces a number of changes affecting organisations responsible for processing personal data, including:

A requirement to report data breaches to the Information Commissioner’s Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to the individuals affected; where the risk to those individuals is high, they must also be told directly

A broadened definition of personal data (see boxout), including online identifiers, such as a person’s IP address

A requirement to obtain parental consent before processing the data of children under the age of 16 where online services are offered directly to them (member states may lower this age to 13, and there will be exemptions, e.g. for charities that offer confidential helplines or counselling services to children)

Yasmin Durrani, Data Protection Officer at Zurich, says: “The higher penalties will represent a risk for charities, although I don’t think the ICO will start issuing huge fines to charities in the first instance, unless they have knowingly been guilty of misconduct.

“If charities get the basics right, the risks may be lowered considerably.”

Developing robust systems for processing data

So, what should you do to ensure your systems for processing personal data are robust?

Durrani says: “First of all, you need to understand what data you process, so that you can classify it. Not every type of data will be personal and therefore within the scope of these regulations.

“You should have robust retention schedules, which specify the retention period for each type of data. Ensure that you only keep personal data as long as it is necessary.

“The next step is to understand where geographically your data is kept. As part of this, you should consider carefully all your arrangements for sharing data with third parties.”

How different sizes of charity will be affected

Before deciding whether you need to do anything differently in order to comply with the GDPR, examine its details carefully: some of the new requirements depend on the scale and nature of your processing rather than simply on headcount, and some, such as the detailed record-keeping obligations, apply in full only to organisations with 250 or more employees (smaller organisations must still keep records where their processing is regular, carries a risk to individuals, or involves sensitive categories of data).

Durrani says: “Organisations that carry out regular and systematic monitoring of individuals on a large scale are required to appoint a Data Protection Officer, as well as comply with certain requirements regarding record-keeping.”

Educate on data breach notification requirements

You should ensure that your staff and volunteers are aware of the 72-hour requirement for reporting data breaches – and that they understand what constitutes a data breach. The 72 hours run from the moment the organisation becomes aware of the breach, so an incident that a volunteer notices but does not pass on can exhaust the deadline before anyone responsible for notifying the ICO has even heard of it; internal reporting needs to be immediate.

Durrani says: “If an employee or volunteer sends an email to the wrong person, quickly identifies their mistake, and then resends the email to the right person, they will often not consider that a data breach, but this kind of incident should be reported.

“It’s important that you give your staff the tools to report data breaches, but also the confidence that they will not face repercussions for doing so.”

Protecting data isn’t just about complying with rules

Although the GDPR will not come into force for another two years, the management of data remains a vital issue for charities today.

Durrani says: “Data analytics can help you to discover and explore new markets, and if you are really serious about running an efficient organisation that will grow and flourish, you need good governance and good standards of managing data – it’s the key to your long-term sustainability.”

Zurich Insurance plc is authorised by the Central Bank of Ireland and authorised and subject to limited regulation by the Financial Conduct Authority. Details about the extent of our authorisation by the Financial Conduct Authority are available from us on request.